OWASP TOP 10 in 2021

This page contains a glossary of the OWASP Top 10 application security risks and serves as a navigation guide to the most widespread vulnerabilities in modern web applications and APIs:

A1. Injection

OWASP A1 (Injection) covers a wide range of injection vulnerabilities and security flaws, including SQL and NoSQL injection, OS command injection and LDAP query manipulation. Injection vulnerabilities are usually caused by improper or insufficient input validation in the web application. Injections allow remote attackers to inject, alter or execute arbitrary code, SQL queries or commands on the vulnerable system, leading to data exfiltration and compromise of the website or even the entire web server. Read more about injections.

A2. Broken Authentication

OWASP A2 (Broken Authentication) security vulnerabilities are related to insufficient authentication or incorrect session management in the web application. A remote attacker may be able to bypass a poorly implemented authentication process to gain unauthorized or excessive access to the web application, or to impersonate other users of the application. Under certain conditions, broken authentication may lead to compromise of the web server and related infrastructure such as databases or connected cloud storage. Read more about broken authentication.

A3. Sensitive Data Exposure

OWASP A3 (Sensitive Data Exposure) security flaws commonly stem from a flawed web application architecture or from various application logic errors. Sensitive data exposure, as its name suggests, often leads to disclosure of personal data, financial information, healthcare records or other regulated data. Likewise, compromised data can be exploited against web application users in phishing attacks, identity theft and social engineering campaigns. Read more about sensitive data exposure.

A4. XML External Entities

OWASP A4 (XML External Entities) is mostly represented by XXE attacks, which occur in web applications designed to handle or process XML documents. Though this fairly sophisticated vulnerability may be quite time-consuming to exploit, in case of success the attacker will be able to disclose sensitive information, view system files, connect to the web server's internal resources and even execute arbitrary code on the vulnerable system, eventually compromising the web server or cloud instance where the application is hosted. Read more about XML external entities.

A5. Broken Access Control

OWASP A5 (Broken Access Control) includes improper, weak or otherwise flawed access restrictions and privilege management errors that may allow a remote attacker to gain access to restricted resources of the web application or of its environment. This business-logic vulnerability frequently occurs in insecure implementations of RESTful APIs and HTTP/S microservices, where an unprivileged user can gain access to data or functionality intended for other application users or for privileged users only. Read more about broken access control.

A6. Security Misconfiguration

OWASP A6 (Security Misconfiguration) security weaknesses are mostly about erroneous or insecure configuration of the web application and its environment. In case of successful exploitation, combined with other security vulnerabilities from the OWASP Top Ten list, security misconfigurations may cause considerable damage and disastrous data breaches. For instance, the attacker may be able to bypass security restrictions, gain unauthorized admin access to the system and eventually compromise the web application and the web server environment. Read more about security misconfigurations.

A7. Cross-Site Scripting

OWASP A7 (Cross-Site Scripting / XSS) covers one of the most popular web application vulnerabilities and should probably be at the top of the OWASP Top 10 ranking. One of the particularities of this omnipresent vulnerability is that it is exploited against the website's users and thus requires interaction with the victim. For example, an attacker can inject malicious JavaScript code and have it executed in the victim's browser once the victim follows a link carrying the XSS payload or opens a page containing a stored XSS exploit. Sophisticated exploitation of the vulnerability against privileged web application users may lead to takeover of the entire web application and facilitate phishing or drive-by-download attacks against your website's visitors. Read more about XSS.

A8. Insecure Deserialization

OWASP A8 (Insecure Deserialization) is a vulnerability that is fairly complex to exploit and comparatively time-consuming, and it is therefore found less frequently in web applications. Nonetheless, the popular WordPress CMS and its countless plugins have been vulnerable to critical RCE vulnerabilities via PHP deserialization attacks. Unsanitized deserialization of untrusted data received from a remote attacker often leads to remote code execution (RCE) on the vulnerable system. Other attack vectors are also possible, such as exploitation of injection flaws, elevation of privileges within the application or replay attacks. Read more about insecure deserialization.

A9. Using Components with Known Vulnerabilities

OWASP A9 (Using Components with Known Vulnerabilities) is the class of OWASP Top 10 vulnerabilities that primarily covers known security vulnerabilities in both simple open-source software and complex proprietary web applications from vendors such as Microsoft, Oracle or SAP. Modern web applications usually consist of numerous interconnected web and cloud-based components, and may include interrelated JavaScript libraries, frameworks, modules and plugins. A single vulnerable component can be artfully exploited to compromise your web application and the underlying infrastructure. Therefore, keeping all web application components up to date is extremely important to prevent data breaches in 2021. Read more about using components with known vulnerabilities.

A10. Insufficient Logging and Monitoring

OWASP A10 (Insufficient Logging and Monitoring) is the last element of the OWASP Top 10 list. Timely detection of malicious activities and attacks is essential for modern cyber defenders and includes proper logging of security events, timely reaction to incidents and protection of security logs from tampering or deletion. This can be achieved by implementing holistic, centralized logging for web applications together with meticulous monitoring and inspection of anomalous or suspicious HTTP requests and user behavior patterns. Known web attack patterns, ranging from primitive password brute-forcing to seemingly legitimate HTTP requests sent from IP addresses known to participate in hacking campaigns, should all be logged and investigated by the Blue Team or SOC analysts. Read more about insufficient logging and monitoring.
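The two detection patterns named above (password brute-forcing and requests from IP addresses on a watchlist), as an added example that is not part of the original page: a small detector that parses access-log lines, keeps a sliding window of failed logins per source address, and separately flags any request from a watchlisted address. The log format, the threshold and window values, the watchlist entries and all log lines are constructed for the example and are not from any real system.

```python
"""Added example (not from the original page): brute-force and watchlist detection over web access logs.

Log format (constructed for this example): <ISO timestamp>Z <client ip> "<METHOD> <path>" <status>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')

# Constructed sample: six failed logins from 203.0.113.5 within 30 seconds, two tries from
# 192.0.2.10 (second succeeds), and one ordinary-looking request from a watchlisted address.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 203.0.113.5 "POST /login" 401
2021-03-01T10:00:04Z 203.0.113.5 "POST /login" 401
2021-03-01T10:00:07Z 192.0.2.10 "POST /login" 401
2021-03-01T10:00:09Z 203.0.113.5 "POST /login" 401
2021-03-01T10:00:12Z 203.0.113.5 "POST /login" 401
2021-03-01T10:00:15Z 198.51.100.77 "GET /products" 200
2021-03-01T10:00:18Z 203.0.113.5 "POST /login" 401
2021-03-01T10:00:20Z 192.0.2.10 "POST /login" 200
2021-03-01T10:00:25Z 203.0.113.5 "POST /login" 401
2021-03-01T10:05:00Z 203.0.113.5 "POST /login" 401
""".splitlines()

# Constructed watchlist (documentation-range address, not a real indicator).
WATCHLIST = {"198.51.100.77"}


def parse_line(line: str) -> dict:
    """Parse one log line into a dict; raise ValueError on lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60, login_path: str = "/login") -> dict:
    """Return {ip: timestamp} for each IP whose failed logins reach `threshold` within a sliding window.

    Only the first crossing per IP is reported, which keeps alert volume manageable for analysts.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec["path"] != login_path or rec["status"] != 401:
            continue
        q = failures[rec["ip"]]
        q.append(rec["when"])
        while q and rec["when"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = rec["ts"]
    return alerts


def detect_watchlist_hits(lines, watchlist=WATCHLIST) -> list:
    """Return (timestamp, ip, method, path) for every request from a watchlisted address, even if it looks benign."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["ip"] in watchlist:
            hits.append((rec["ts"], rec["ip"], rec["method"], rec["path"]))
    return hits


if __name__ == "__main__":
    print("brute-force alerts:", detect_bruteforce(SAMPLE_LOG))
    print("watchlist hits:    ", detect_watchlist_hits(SAMPLE_LOG))
```

With the constructed input the brute-force rule fires once, at the fifth failure from 203.0.113.5 (10:00:18), and not for 192.0.2.10, whose two attempts stay under the threshold; the watchlist rule flags the 200-status request to /products that a status-based rule alone would never surface. In production the same logic runs over centrally collected logs, so that an attacker who compromises one web server cannot erase the evidence from the copy the SOC works from.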
